By now several of the FtB have commented on the bomb threats emailed regarding Concordia University.
I wish “godspeed” to the investigators, in this case.
I wonder if there are any of the RCMP working the case that I briefed on e-mail backtracking, in the spring of 1993. … There was an unfortunate at a university in Canada, who went to the rest room and stayed logged in at a public terminal, when a “friend” leaned over and sent a threatening message to [email protected]. That server had gone online a few days earlier by my hand, after considerable herky-jerky between DARPA (who funded the “research” effort) my bosses at Trusted Information Systems – a small time defense contractor – and the Executive Office of The President (EOP). There were concerns about security (of course!) that the email server not be hacked, but to be honest it simply hadn’t occurred to me that there would be random assholes in the world who thought that sending a message like:
Hey Mr President, I’m gonna come kill you.
was a funny idea. That’s not the actual message* but it was similarly casual and – not particularly serious.
The thing about threats is: you need to take them seriously. It’s the job of threat-takers to take them seriously. Their adrenaline starts pumping. They start burning calories looking at every open window, every line of attack, every hole in schedules, or potholes a target drives over, or… anything. Making a threat reaches into your enemy’s heart and makes them scared – it wastes their time and puts them on a defensive posture.
So naive little Marcus found himself in Washington rush hour traffic in his little white Honda, hurrying in to teach the US Secret Service how to back-track emails. All things considered it was pretty exciting. For little Marcus. There were serious people in attendance, including our Secret Service liaison officer: SSA Delta Priest. Delta was endowed by her parents with a perfect secret agent name, but I was immediately confident that she was a Serious Person with a Serious Job who was, no kidding, serious. It came to pass that Fred Avolio, my boss at the time, and I, gave an extemporaneous workshop on digital forensics, including how to back-track the ‘hops’ an email message took, based on the SMTP Received: transactions in the header, and what fields needed to be subpoena’d from which ISPs, etc. SSA Priest sort of reminded me of my mom, except she carried a matte stainless-steel .375 snubnose and didn’t talk anywhere near as much, and the other US Secret Service folks were quiet, serious, and attentive. Part way through the class, two guys quietly walked into the back of the room, dressed head-to-toe in ninja garb: tacticool web gear, carrying suppressed H&K MP5Ds, knee pads, elbow pads. Serious.
There were phone calls and apparently a few folks from our class talked to other people at the Royal Canadian Mounted Police, who saddled up some horses and rounded up some syslogs and then talked to that person who went to the bathroom and forgot to log out. And, of course, their friend said they thought they were being funny. You can bet Delta Priest was “like, LOL.” Not. So Not.
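The header back-tracking that workshop covered, as an added example that is not from the original post: a small Python parser over a constructed message that lists the Received: hops in transit order and then keeps only the hops some relay operator’s logs (the syslogs above) could corroborate. Every host name, IP address and timestamp in the sample is made up.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the original post). Top header: added by the final
# receiving MX; middle: the university relay; bottom: forged by the sender.
SAMPLE = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby mx.example.gov with ESMTP id A1B2C3
\tfor <president@example.gov>; Mon, 15 Mar 1993 10:02:11 -0500
Received: from lab-terminal.cs.example.edu (lab-terminal.cs.example.edu [198.51.100.7])
\tby mail.example.edu with SMTP id KAA01234; Mon, 15 Mar 1993 09:58:40 -0500
Received: from innocent.example.net (innocent.example.net [203.0.113.5])
\tby relay.example.org with SMTP; Mon, 15 Mar 1993 09:50:00 -0500
From: user@example.edu
To: president@example.gov
Subject: constructed sample

(body)
"""
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value):
    """One unfolded Received: value -> hop dict, or None if it does not parse."""
    m = HOP_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("info") or "")
    return {"from": m.group("from"), "by": m.group("by"),
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())}

def hops(raw):
    """Hops in transit order (origin first); headers are stacked newest on top."""
    msg = message_from_string(raw)
    unfolded = [re.sub(r"\s+", " ", v) for v in msg.get_all("Received", [])]
    return [h for h in map(parse_received, reversed(unfolded)) if h]

def verifiable_hops(hop_list):
    """Walk back from the final receiver, keeping each earlier hop only while the
    host it says did the 'by' is the host the next header says it came 'from'.
    Hops past the first break have no relay whose logs could corroborate them."""
    kept = [hop_list[-1]]
    for earlier, later in zip(reversed(hop_list[:-1]), reversed(hop_list)):
        if earlier["by"] != later["from"]:
            break
        kept.insert(0, earlier)
    return kept
```

Each hop that survives names the relay whose logs, and the client IP whose owner, would be asked for records; the forged bottom header drops out because no relay in the chain claims to have received from the host it names.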
As the US slides into a totalitarian dictatorship, I do not look forward to seeing the US Secret Service and its kin become my opponents. Because – they will. I fear them, because they are fearsome.
Meanwhile, some silly shitheads have made the mistake of sending threatening Emails per Shiv and Caine and it looks like the kind of goofy-ass low-rent silly crap from gamergate and the slymepit.
I don’t pity them, because their tradecraft is contemptible. Unless they were amazingly clever, their best chance is to blame the Russians and say it was cyberespionage.
Why do I say their tradecraft is contemptible? Unless the input size of their message was different from what was posted, they are toast. That’s one example (there are others) but, for it to be safe, that message would have had to have been carefully assembled, by hand, in the past, in a dead location, by a non-agent, before it was sent. Or, it was sent by an idiot. Like Mabus. Given the gamergater-like quality of the message, I’ll be surprised if they haven’t been caught by the time I hit ‘post.’
*It occurs to me that I may well have the original email in question in my email archives, because I had an automated system that detected certain patterns and forwarded alerts (how do you think the Secret Service learned about it in the first place?!)
What would good tradecraft look like, in this situation? An email sent by someone who acknowledges everything then says, “so, shoot me.” And means it. If I cared to, I could probably identify someone who could quite honestly and coolly describe their intent to kill the president, because: they would be perfectly happy to. The problem security practitioners need to deal with is that they’re in the wilderness of mirrors, looking at mirrors. We are heading into a time of mirrors. I’m OK with that because I am a practitioner of mirrorhood, and so are we all. The perfect kung fu punch, in the wilderness of mirrors is the opponent who tells you “I am going to punch you in the face, now.”
The deadliest ninja plants the knife where they know their enemy will step on it in a year.
Yes, and to the friend who asked me what that plaque from the US Secret Service was for, well, now you know. I hope the guy in Canada enjoyed the poutine.
Marcus Ranum says
PS – I still ponder Trent the Uncatchable’s punch, which is to: run away.
Owlmirror says
Did you receive any of those postings/e-mails with a .sig block that had stuff like:
plutonium centrifuge detonation assassination target
POTUS NYC dirty suitcase bomb reservoir anthrax
spores ricin VX mustard gas Oh hello there NSA/FBI agent!
(usually much longer, of course)
Marcus Ranum says
Owlmirror@#2:
I can confirm that at one point [email protected] was subscribed to the Rush Limbaugh mailing list many times, that it was so redundant that compression took care of it.
chigau (ever-elliptical) says
The deadliest ninja plants the knife in your spleen. Now. Whilst making tea.
militantagnostic says
Apparently the suspect now in custody is a PhD student of Lebanese origin.
http://www.cbc.ca/news/canada/montreal/hisham-saadi-concordia-hoax-bombing-1.4007544
Marcus Ranum says
militantagnostic@#5:
Yeah, I saw a couple of reports on that. It sounds like the guy was not “serious” – no attempt to hide, really. What a doofus. He should have expected to get caught very quickly. I’m sure he’ll say something stupid like “just kidding” and the RCMP/CSE will say “we’re not” and things will go downhill from there.
Notes on making threats:
– motive
– method
– opportunity
You want to indicate (even if it’s a fake threat) that you’ve got credible methods. I.e.: “there is a bomb” is going to get people’s attention. “There is a bomb and if you find it before it goes off please tell the bomb squad it’s TATP and to be careful, I’m not trying to hurt any of them.” And opportunity is signalled by making it clear you’ve done recon. Motive is best conveyed with specific demands that indicate thought has gone into them.
Clearly the threat analysts, especially after the mosque shooting, took this seriously enough (and I think they were absolutely spot on in evacuating the buildings). So when this gomer says “I was just kidding” he’s going to have some work, because he put a lot of effort into his “joke.”
I also like that the reporting didn’t immediately jump to the argument that the bomber was “crazy.” They expect he’s going to have 16t of bricks land on him, and so do I.